Thread: deprotecting memory of a dll image

  1. #1
    |< x != '+' BanMe's Avatar
    Join Date
    Oct 2008
    Location
    Farmington NH
    Posts
    510
    Blog Entries
    4

    deprotecting memory of a dll image

    I want to just overwrite a string in ntdll and it gets all bitchy at me..So I decided to smack it with a mallet, so to speak..This has an issue with NtProtectVirtualMemory currently, but all in due time..
    seh.inc file [edit]'hmm I fixed it for you..'?[/edit]
    updated code..
    Code:
    .486
    .model flat,stdcall
    option casemap:none
    code SEGMENT DWORD flat PUBLIC  'text'
    Scstart:
    assume fs:nothing
    push 006c006fh ;- 8
    mov esi,dword ptr fs:[30h]
    add esi,20h;RtlEnterCriticalSection
    lodsd
    and eax,0ffff0000h;get ntdll's base;clear off the extra
    mov esi,[eax+170h];read reloc offset from PE
    mov ebx,[eax+174h];read reloc size from PE
    push eax ;- 4
    add esi,eax
    next_section:
    lodsd
    mov edx,eax
    lodsd
    sub ebx,eax
    sub eax,8h
    mov ecx,eax
    find_data:
    lodsw
    and eax,0fffh
    pop edi ;get base address
    add eax,edi
    add eax,edx
    push edi
    push esi
    test eax,edi
    jl next_entry
    mov esi, dword ptr [eax]
    cmp esi,edi;that shoud fix it Indy??
    jl next_entry
    mov edi,dword ptr [esp+8h]
    cmp dword ptr [esi],edi
    je NtProtect_Module
    next_entry:
    pop esi
    sub ecx,2
    cmp ecx,2
    jne find_data
    add esi,2
    jmp next_section
    end_this:
    mov eax,1
    ret
    NtProtect_Module:
    	mov edx,[esp+4h]
    	push esi
    	mov edi,edx
    	mov ecx,[edx+14ch]
    	add edx,[edx+148h]
    	add edx,ecx
    	mov esi,edx
    	xor eax,eax
    find_NtProtect:
    	lodsw
    	cmp eax,089b8h
    	jne find_NtProtect
    	sub esi,2
    	push ebp
    	push esp
    	sub esp,10h
    	mov dword ptr [esp],-1
    	mov dword ptr [ebp],edi
    	mov dword ptr [esp+4],ebp
    	mov dword ptr [ebp+4],0b2000h
    	add ebp,4
    	mov dword ptr [esp+8h],ebp
    	mov dword ptr [esp+0Ch],4h
    	add ebp,4
    	xor eax,eax
    	mov dword ptr [ebp],eax
    	mov [esp+10h],ebp
    	call esi
    	test eax,eax
    	jnz end_this
    	mov edi,[esp+4h]
    	pop esp
    	pop ebp
    write_string:
     	push 00730077h
     	pop eax
     	stosd
     	push 005f0032h
     	pop eax
     	stosd
     	push 00320033h
     	pop eax
     	stosd
     	push 0064002eh
     	pop eax
     	stosd
     	push 006C006Ch
     	pop eax
     	stosd
    	ret
    end Scstart
     code ENDS
    regards BanMe



    NX SEH (unwinding the SEH chain outside modules).
    In UM, setting the MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE flag will not succeed because the
    MEM_EXECUTE_OPTION_PERMANENT flag is already set. In KM these options are not used. Possible ways:
    o Load a system module without initializing it, zeroing the exception directory and the handler table
    in the module's load configuration directory. The code is placed in the data section of this module and the
    E attribute is set for the section (region).
    o Unwind SEH by hand. In UM through VEH. In KM via KD (imposes severe restrictions), bugchecks
    (private) or any other suitable mechanism. This requires using a graph to check whether Ip falls within
    the protected code described by the graph.
    o Dynamically copy procedures to a place within the module. Also requires rebuilding the graph for an
    arbitrary implementation of the protected code.
    o In UM, trace the exception dispatcher in VEH before entering the NtQueryInformationProcess
    (ProcessExecuteFlags) service and check MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE.
    Last edited by BanMe; February 17th, 2011 at 15:23. Reason: edit [diamonds] comment to make it 'correct'.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  2. #2
    Entry from the blog:
    NX SEH (unwinding the SEH chain outside modules).
    In UM, setting the MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE flag will not succeed because the
    MEM_EXECUTE_OPTION_PERMANENT flag is already set. In KM these options are not used. Possible ways:
    o Loading a system module without initializing it, and zeroing the exception directory and the handler
    table in the module's load configuration directory. The code is placed in that module's data section and
    the E attribute is set on the section (region).
    o Unwinding SEH manually. In UM via VEH. In KM via KD (imposes hard restrictions), bugchecks
    (private) or any other suitable mechanism. This requires using a graph to check whether Ip falls
    within the protected code described by the graph.
    o Dynamically copying procedures to a location within the module. Also requires rebuilding the graph
    for an arbitrary implementation of the protected code.
    o In UM, tracing the exception dispatcher in VEH up to the entry into the NtQueryInformationProcess
    (ProcessExecuteFlags) service and setting the MEM_EXECUTE_OPTION_EXECUTE_DISPATCH_ENABLE flag.
    Then I reviewed the stack protection (Stpt). This allows placing SEH anywhere. Otherwise SEH is not called.

  3. #3
    BanMe
    What of other options?
    like for instance..
    PEB linking and loading an internally crafted PE 'dll' and setting that 'module' to MEM_EXECUTE_OPTION_IMAGE_DISPATCH_ENABLE..and activate the ldr accordingly?

  4. #4
    BanMe
    Your solution does not allow finding an optimum between hiding and flexibility. A handler outside of modules will not be called.)

  5. #5
    BanMe


    http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx

    The "ExecuteOptions" key..hmm..interesting to find that..and then reality warp..
    Code:
    if (CurrentProcess->Pcb.Flags.ExecuteEnable != 0) {
                CurrentProcess->Pcb.Flags.ExecuteDispatchEnable = 1;
                CurrentProcess->Pcb.Flags.ImageDispatchEnable = 1;
            }
    names..
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellcode.dll and as above..

    Indy, testing and researching is my goal; what happens along the way is anyone's guess..
    Last edited by BanMe; February 13th, 2011 at 02:50.

  6. #6
    BanMe
    Your code crashes:
    Code:
    	mov esi, dword ptr [eax]		;read the data located..
    Eax = 0x7D205A51.
    *MZ + 0x170 refers to the exception directory. You need to read the PE header offset.

  7. #7
    BanMe
    what version of Windows are you using o0? maybe I neglected to mention this is XP SP3 x86 specific..

    Code:
    $+160    > 00000000     DD 00000000          ;  Exception Table address = 0
    $+164    > 00000000     DD 00000000          ;  Exception Table size = 0
    $+168    > 00000000     DD 00000000          ;  Certificate File pointer = 0
    $+16C    > 00000000     DD 00000000          ;  Certificate Table size = 0
    $+170    > 00F00A00     DD 000AF000          ;  Relocation Table address = AF000
    $+174    > E02E0000     DD 00002EE0          ;  Relocation Table size = 2EE0 (12000.)
    Last edited by BanMe; February 13th, 2011 at 15:45.

  9. #9
    BanMe
    [Attachments: Fails.jpg, InWrite.jpg, Changed.jpg]

    Your suggestion for improvement is noted..

    you're on Professional.. and my laptop is Home edition..So to make it work on both you suggest a modification as such..

    From this:
    Code:
    	and eax,0ffff0000h;get ntdll's base;clear off the extra
    	mov esi,[eax+170h];read reloc offset from PE
    	mov ebx,[eax+174h];read reloc size from PE
    To this:
    Code:
    	and eax,0ffff0000h;get ntdll's base;clear off the extra
    	mov ecx,eax
    	add ecx,dword ptr [eax+3ch];e_lfanew: offset of the PE header
    	mov eax,[ecx+0a0h];read reloc offset from PE
    	mov ebx,[ecx+0a4h];read reloc size from PE
    Thanks
    Last edited by BanMe; February 13th, 2011 at 23:29.
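    The header-offset problem Indy raises in #6 and the e_lfanew fix in #9, taken from the integrity-checking side, as an added example that is not code from this thread: it reads the relocation directory through e_lfanew, applies the HIGHLOW fixups the loader would, and only then diffs a module's on-disk image against its in-memory copy, so an in-memory overwrite of a string stands out while relocated pointers do not. The sample PE32 image, its base addresses and the patched string are constructed for the example.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address fixup

def nt_headers_offset(image):
    # e_lfanew at DOS header +0x3C: the PE header offset differs between builds
    return struct.unpack_from("<I", image, 0x3C)[0]

def data_directory(image, index):
    # PE32: OptionalHeader at nt+0x18, DataDirectory at OptionalHeader+0x60,
    # so entry 5 (base relocations) is nt+0xA0, i.e. MZ+0x170 only when e_lfanew == 0xD0
    return struct.unpack_from("<II", image, nt_headers_offset(image) + 0x18 + 0x60 + 8 * index)

def iter_relocations(image):
    """Yield (target_rva, type) for every entry in the base relocation directory."""
    rva, size = data_directory(image, 5)
    end = rva + size
    while rva < end:
        page_rva, block_size = struct.unpack_from("<II", image, rva)
        for i in range((block_size - 8) // 2):
            entry = struct.unpack_from("<H", image, rva + 8 + 2 * i)[0]
            yield page_rva + (entry & 0xFFF), entry >> 12
        rva += block_size

def relocate(image, new_base):
    """Apply HIGHLOW fixups for a load at new_base, as the loader would."""
    out = bytearray(image)
    nt = nt_headers_offset(image)
    delta = new_base - struct.unpack_from("<I", image, nt + 0x18 + 0x1C)[0]  # ImageBase
    for target, kind in iter_relocations(image):
        if kind == IMAGE_REL_BASED_HIGHLOW:
            value = struct.unpack_from("<I", out, target)[0]
            struct.pack_into("<I", out, target, (value + delta) & 0xFFFFFFFF)
        elif kind != IMAGE_REL_BASED_ABSOLUTE:
            raise ValueError("unsupported relocation type %d" % kind)
    return bytes(out)

def diff_images(expected, actual, merge_gap=3):
    """(rva, length) runs where actual differs; short equal gaps (e.g. UTF-16 high bytes) join the run."""
    runs = []
    for i, (a, b) in enumerate(zip(expected, actual)):
        if a == b:
            continue
        if runs and i - (runs[-1][0] + runs[-1][1]) <= merge_gap:
            runs[-1] = (runs[-1][0], i + 1 - runs[-1][0])
        else:
            runs.append((i, 1))
    return runs

def find_unexpected_writes(disk_image, memory_image, loaded_base):
    """Relocation-aware check: bytes that still differ after the loader's fixups are candidate patches."""
    return diff_images(relocate(disk_image, loaded_base), memory_image)

def build_sample_image():
    """Constructed PE32 image (RVA == offset, no sections) with one relocation."""
    img = bytearray(0x600)
    nt = 0x80                                                  # e_lfanew, deliberately not 0xD0
    img[0:2], img[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, nt)
    struct.pack_into("<H", img, nt + 0x18, 0x10B)              # PE32 magic
    struct.pack_into("<I", img, nt + 0x18 + 0x1C, 0x10000000)  # ImageBase
    struct.pack_into("<II", img, nt + 0x18 + 0x60 + 8 * 5, 0x400, 12)  # reloc directory
    struct.pack_into("<I", img, 0x210, 0x10000000 + 0x300)     # absolute pointer to the string
    img[0x300:0x312] = "ntdll.dll".encode("utf-16-le")
    # one block for page 0x200: a HIGHLOW fixup at +0x10 and an ABSOLUTE padding entry
    struct.pack_into("<IIHH", img, 0x400, 0x200, 12, (3 << 12) | 0x10, 0)
    return bytes(img)

def simulate(loaded_base=0x7C900000):
    """Relocate the sample to loaded_base, then overwrite the string in the memory copy (constructed)."""
    disk = build_sample_image()
    mem = bytearray(relocate(disk, loaded_base))
    mem[0x300:0x30C] = "ws2_32".encode("utf-16-le")
    return diff_images(disk, bytes(mem)), find_unexpected_writes(disk, bytes(mem), loaded_base)
```

    A naive byte diff flags the relocated pointer at 0x212 as well as the string; the relocation-aware check reports only the string.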

  10. #10
    Yes, but this does not solve the problem of SEH. Its use does not make sense if the code is not described in the loader. And shellcode usually does not contain zeros..

  11. #11
    BanMe
    SEH in the above was just a tool to see the 'data' available on the stack when the exception occurs; the SEH will fail, NtProtectVirtualMemory fails and it tries to
    stosd again, causing the same error at the same location of stack and 'protection'..

    real shell code below but prolly not up to snuff yet..it's a 'learning creation'?
    Last edited by BanMe; February 16th, 2011 at 13:41.

  12. #12
    Same crash. It's worth describing the problem, not the evil hacks )

  13. #13
    BanMe
    Code:
    00401000 > 33FF             XOR EDI,EDI                              ; ntdll.7C910228
    00401002   8BD7             MOV EDX,EDI                              ; ntdll.7C910228
    00401004   EB 22            JMP SHORT minimali.00401028
    00401006   F1               INT1
    00401007   FFFF             ???                                      ; Unknown command
    00401009   FFF2             PUSH EDX                                 ; ntdll.KiFastSystemCallRet
    0040100B   FFFF             ???                                      ; Unknown command
    0040100D   FFF3             PUSH EBX
    0040100F   FFFF             ???                                      ; Unknown command
    00401011   FFF1             PUSH ECX
    00401013   FFFF             ???                                      ; Unknown command
    00401015   FFF2             PUSH EDX                                 ; ntdll.KiFastSystemCallRet
    00401017   FFFF             ???                                      ; Unknown command
    00401019   FFF3             PUSH EBX
    0040101B   FFFF             ???                                      ; Unknown command
    0040101D   FF5E 56          CALL FAR FWORD PTR DS:[ESI+56]
    00401020   C3               RETN
    00401021   47               INC EDI                                  ; ntdll.7C910228
    00401022   8BC7             MOV EAX,EDI                              ; ntdll.7C910228
    00401024   8BE2             MOV ESP,EDX                              ; ntdll.KiFastSystemCallRet
    00401026   0F34             SYSENTER
    00401028   E8 F1FFFFFF      CALL minimali.0040101E
    0040102D   66:83FF 18       CMP DI,18
    00401031   74 17            JE SHORT minimali.0040104A
    00401033   8BC2             MOV EAX,EDX                              ; ntdll.KiFastSystemCallRet
    00401035   3C 14            CMP AL,14
    00401037   74 14            JE SHORT minimali.0040104D
    00401039   8BD6             MOV EDX,ESI
    0040103B   83EA 14          SUB EDX,14
    0040103E   83EE 29          SUB ESI,29
    00401041   8932             MOV DWORD PTR DS:[EDX],ESI
    00401043   8962 FC          MOV DWORD PTR DS:[EDX-4],ESP
    00401046   8BF2             MOV ESI,EDX                              ; ntdll.KiFastSystemCallRet
    00401048  ^EB D7            JMP SHORT minimali.00401021
    0040104A   47               INC EDI                                  ; ntdll.7C910228
    0040104B  ^EB E0            JMP SHORT minimali.0040102D
    0040104D   33ED             XOR EBP,EBP
    0040104F   8BFD             MOV EDI,EBP
    00401051   8BF5             MOV ESI,EBP
    00401053   8BCD             MOV ECX,EBP
    00401055   83C1 1C          ADD ECX,1C
    00401058   83E9 14          SUB ECX,14
    0040105B   64:3329          XOR EBP,DWORD PTR FS:[ECX]
    0040105E   89242F           MOV DWORD PTR DS:[EDI+EBP],ESP
    00401061   66:23D7          AND DX,DI
    00401064   8955 18          MOV DWORD PTR SS:[EBP+18],EDX            ; ntdll.KiFastSystemCallRet
    00401067   83C5 18          ADD EBP,18
    0040106A   8BE5             MOV ESP,EBP
    0040106C   68 6FFF6CFF      PUSH FF6CFF6F
    00401071   33F6             XOR ESI,ESI
    00401073   8BDE             MOV EBX,ESI
    00401075   46               INC ESI
    00401076   F61434           NOT BYTE PTR SS:[ESP+ESI]
    00401079   46               INC ESI
    0040107A   46               INC ESI
    0040107B   F61434           NOT BYTE PTR SS:[ESP+ESI]
    0040107E   46               INC ESI
    0040107F   33C9             XOR ECX,ECX
    00401081   83C1 3C          ADD ECX,3C
    00401084   331411           XOR EDX,DWORD PTR DS:[ECX+EDX]
    00401087   83C1 3C          ADD ECX,3C
    0040108A   83C1 2C          ADD ECX,2C
    0040108D   335C0A FC        XOR EBX,DWORD PTR DS:[EDX+ECX-4]
    00401091   33D3             XOR EDX,EBX
    00401093   32D2             XOR DL,DL
    00401095   83ED FC          SUB EBP,-4
    00401098   8BF2             MOV ESI,EDX                              ; ntdll.KiFastSystemCallRet
    0040109A   8BFD             MOV EDI,EBP
    0040109C   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
    0040109D   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
    0040109E   83C7 FC          ADD EDI,-4
    004010A1   8307 F8          ADD DWORD PTR DS:[EDI],-8
    004010A4   8B0F             MOV ECX,DWORD PTR DS:[EDI]
    004010A6   33DB             XOR EBX,EBX
    004010A8   66:A5            MOVS WORD PTR ES:[EDI],WORD PTR DS:[ESI]
    004010AA   83C1 FE          ADD ECX,-2
    004010AD   3BCB             CMP ECX,EBX
    004010AF   74 31            JE SHORT minimali.004010E2
    004010B1   66:4B            DEC BX
    004010B3   43               INC EBX
    004010B4   43               INC EBX
    004010B5   83EB 11          SUB EBX,11
    004010B8   66:C1C3 1C       ROL BX,1C
    004010BC   215F FE          AND DWORD PTR DS:[EDI-2],EBX
    004010BF   2BD2             SUB EDX,EDX                              ; ntdll.KiFastSystemCallRet
    004010C1   3355 FC          XOR EDX,DWORD PTR SS:[EBP-4]
    004010C4   3357 FA          XOR EDX,DWORD PTR DS:[EDI-6]
    004010C7   3357 FE          XOR EDX,DWORD PTR DS:[EDI-2]
    004010CA   3B55 FC          CMP EDX,DWORD PTR SS:[EBP-4]
    004010CD   7C 0E            JL SHORT minimali.004010DD
    004010CF   8B12             MOV EDX,DWORD PTR DS:[EDX]
    004010D1   3B55 FC          CMP EDX,DWORD PTR SS:[EBP-4]
    004010D4   7C 07            JL SHORT minimali.004010DD
    004010D6   8B5D F8          MOV EBX,DWORD PTR SS:[EBP-8]             ; kernel32.7C817080
    004010D9   391A             CMP DWORD PTR DS:[EDX],EBX
    004010DB   74 07            JE SHORT minimali.004010E4
    004010DD   83C7 FE          ADD EDI,-2
    004010E0  ^75 C4            JNZ SHORT minimali.004010A6
    004010E2  ^EB B6            JMP SHORT minimali.0040109A
    004010E4   8BDA             MOV EBX,EDX                              ; ntdll.KiFastSystemCallRet
    004010E6   8B5424 04        MOV EDX,DWORD PTR SS:[ESP+4]             ; ntdll.7C910228
    004010EA   8B8A 4C010000    MOV ECX,DWORD PTR DS:[EDX+14C]
    004010F0   0392 48010000    ADD EDX,DWORD PTR DS:[EDX+148]
    004010F6   03D1             ADD EDX,ECX
    004010F8   8BF2             MOV ESI,EDX                              ; ntdll.KiFastSystemCallRet
    004010FA   33C0             XOR EAX,EAX
    004010FC   66:AD            LODS WORD PTR DS:[ESI]
    004010FE   66:3D B889       CMP AX,89B8
    00401102  ^75 F8            JNZ SHORT minimali.004010FC
    00401104   83EE 02          SUB ESI,2
    00401107   83EC 14          SUB ESP,14
    0040110A   C70424 FFFFFFFF  MOV DWORD PTR SS:[ESP],-1
    00401111   8B7C24 04        MOV EDI,DWORD PTR SS:[ESP+4]             ; ntdll.7C910228
    00401115   83C5 FC          ADD EBP,-4
    00401118   896C24 04        MOV DWORD PTR SS:[ESP+4],EBP
    0040111C   C745 04 00200B00 MOV DWORD PTR SS:[EBP+4],0B2000
    00401123   83C5 04          ADD EBP,4
    00401126   896C24 08        MOV DWORD PTR SS:[ESP+8],EBP
    0040112A   C74424 0C 040000>MOV DWORD PTR SS:[ESP+C],4
    00401132   83C5 04          ADD EBP,4
    00401135   33C0             XOR EAX,EAX
    00401137   8945 00          MOV DWORD PTR SS:[EBP],EAX
    0040113A   896C24 10        MOV DWORD PTR SS:[ESP+10],EBP
    0040113E   FFD6             CALL ESI
    00401140   85C0             TEST EAX,EAX
    00401142   75 25            JNZ SHORT minimali.00401169
    00401144   8BFB             MOV EDI,EBX
    00401146   68 77007300      PUSH 730077
    0040114B   58               POP EAX                                  ; kernel32.7C817077
    0040114C   AB               STOS DWORD PTR ES:[EDI]
    0040114D   68 32005F00      PUSH 5F0032
    00401152   58               POP EAX                                  ; kernel32.7C817077
    00401153   AB               STOS DWORD PTR ES:[EDI]
    00401154   68 33003200      PUSH 320033
    00401159   58               POP EAX                                  ; kernel32.7C817077
    0040115A   AB               STOS DWORD PTR ES:[EDI]
    0040115B   68 2E006400      PUSH 64002E
    00401160   58               POP EAX                                  ; kernel32.7C817077
    00401161   AB               STOS DWORD PTR ES:[EDI]
    00401162   68 6C006C00      PUSH 6C006C
    00401167   58               POP EAX                                  ; kernel32.7C817077
    00401168   AB               STOS DWORD PTR ES:[EDI]
    00401169   C3               RETN
    it's getting easier as I practice, and more fun to document with math
    Last edited by BanMe; March 21st, 2011 at 12:57.

  14. #14
    Code:
    .code
    SIGNATURE_LENGTH	equ 44H
    
    Ip proc
    
    ; LdrpFixSectionProtection:
    ; 	...
    ; 	6A FF		push -1
    ; 	E8 XXXXXXXX	call ntdll.ZwProtectVirtualMemory
    ; 	[LINE]
    ; 	68 XXXXXXXX	; ASCII "Set 0x%X protection for %p section for %d bytes, old protection 0x%X",LF
    ; 	[LINE]
    ; 	E8 XXXXXXXX	call ntdll.DbgPrintEx
    
    Local BaseOfCode:PVOID, SizeOfCode:PVOID
    	assume fs:nothing
    	mov eax,fs:[TEB.Peb]
    	mov eax,PEB.Ldr[eax]
    	mov eax,PEB_LDR_DATA.InLoadOrderModuleList.Flink[eax]
    	mov eax,LDR_DATA_TABLE_ENTRY.InLoadOrderModuleList.Flink[eax]
    	mov ebx,LDR_DATA_TABLE_ENTRY.DllBase[eax]	; ntdll.dll
    	mov ecx,ebx
    	add ecx,IMAGE_DOS_HEADER.e_lfanew[ecx]
    	assume ecx:PIMAGE_NT_HEADERS
    	mov esi,[ecx].OptionalHeader.BaseOfCode
    	mov edi,[ecx].OptionalHeader.SizeOfCode
    	lea esi,[esi + ebx - 4]
    	cld
    	mov SizeOfCode,edi
    	mov BaseOfCode,esi
    	sub edi,SIGNATURE_LENGTH
    Step:
    	mov ecx,SIGNATURE_LENGTH/4
    	xor eax,eax
    @@:
    	xor eax,dword ptr [esi + ecx*4]
    	xor eax,ecx
    	rol eax,cl
    	loop @b
    	cmp eax,60EC54DCH	; Hash
    	je Found
    	inc esi
    	dec edi
    	jnz Step
    	int 3
    Found:
    	mov ecx,SizeOfCode	
    	lea eax,[esi + 4]
    	mov edx,BaseOfCode
    	sub ecx,24H
    Scan:
    	cmp dword ptr [ecx + edx + 24H],eax
    	je @f
    	loop Scan
    	int 3
    @@:
    	lea esi,[ecx + edx + 23H]
    	cmp byte ptr [esi],68H
    	jne Scan
    	sub esi,20H
    	mov ecx,20H
    @@:
    	cmp word ptr [esi + ecx],0FF6AH
    	je Vale
    	loop @b
    	int 3
    Vale:
    	cmp byte ptr [esi + ecx + 2],0E8H
    	jne @b
    	lea eax,[esi + ecx + 7]
    	add eax,dword ptr [eax - 4]	; *ZwProtectVirtualMemory
    	
    	; push service arg's.
    	; Call Eax
    	
    	.if byte ptr [eax] != 0B8H
    	   int 3
    	.endif
    	
    	mov eax,dword ptr [eax + 1]	; ID
    	
    	.if Eax > 1000H
    	   int 3
    	.endif
    	
    	; push service arg's.
    	; mov edx,esp
    	; Int 2EH
    	; add esp,5*4
    	
    Ip endp
    end Ip
    Id.zip
    Last edited by Indy; February 16th, 2011 at 19:18.

  15. #15
    BanMe
    LOL it took me a bit to understand the 'construct' idea...the continuation of an idea I had for finding cross-platform signatures, amazing..o0

    Your views may be too malware oriented my friend, lighten up and 'play' more (you already started to?) :P

    commented to show my ideas..

    1. shell coding is limited by numerous things, 1 of which is access to numbers..
    2. the next issue is not having the ldr know anything about the code unless it's in a PE, with regards to relocs.
    Code:
    xor ebx,ebx;0 ebx
    jmp OverData;...
    dd 021365719h
    dd 0fffffff4h
    dd 0fffffff8h
    dd 0fffffffch
    dd 0fffffff1h
    Data_endings:
    pop esi
    push esi
    ret
    OverData:
        call Data_endings;get return address
        mov edi,esp;store esp
        sub esi,01ch;get data beginnings
        mov esp,esi;move to stack
        pop edx;read data 21365719h
        sub esp,esi;esp = 4
        sub esi,esp;esi = entry point
        xor ebx,esp;ebx + 4
        mov esp,edi;restore esp
    rollitup:
        mov ecx,14h    
        rol edx,cl
        dec ebx
        dec ebx
        jnz rollitup;roll the data
        xor edi,edi
        xor edi,dword ptr [esi+14h];read fffffff1
        dec edi;fffffff0
        not edi;0000000f;
        and ecx,edi;ecx = 4
        and edx,edi;edx = 1
        add esi,04ch 
        push esi
        ret;return to ret +1
    Self-locating code can be turned into 'self'-relocating code and gives me grounds to explore more..other fun things in the code as well..But only for those that can 'see' the ideas.

    after execution of this code with ebx = 0;
    EAX ;remains as is..
    ECX ;4
    EDX ;1
    EBX ;0
    ESP ;remains as is
    EBP ;remains as is
    ESI ;entry of this routine
    EDI 0000000F
    [48]signature

    This really does nothing; it was just a prototype of thought..
    Last edited by BanMe; April 5th, 2011 at 11:51. Reason: r
